[php-maint] Bug#500087: Bug#500087: CVE-2008-4107: The rand and mt_rand functions in PHP produce weak random numbers
Raphael Geissert
atomo64 at gmail.com
Thu Sep 25 23:00:38 UTC 2008
2008/9/24 Stefan Fritsch <sf at sfritsch.de>:
> Package: php5
> Version: 5.2.6-3
> Severity: important
> Tags: security
>
>
> >From CVE-2008-4107:
> The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce
> cryptographically strong random numbers, which allows attackers to
> leverage exposures in products that rely on these functions for
> security-relevant functionality, as demonstrated by the password-reset
> functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different
> vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.
IIRC it is just about calling mt_rand a couple of times every now and
then without using the generated values.
>
>
> The advisory
> http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
> talks about a new suhosin release that fixes this in php and not in the
> applications. Maybe this fix could be backported to lenny once it becomes
> available?
Blocked by #498621, see #497871
>
>
>
Cheers,
--
Atomo64 - Raphael
Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
More information about the pkg-php-maint
mailing list